| Title | D-Link DIR-852 1.00CN B09 Exposure of Sensitive Information Through Data Queries |
|---|---|
| Description | An authentication bypass vulnerability was discovered in the `getcfg.php` endpoint of some D-Link router firmwares. The vulnerability stems from a logical flaw in the order of operations within the `phpcgi_main` function of the underlying `cgibin` binary when handling user POST parameters and server-side session state. The application first parses user-controllable POST data before appending the server-generated session validation result (e.g., `AUTHORIZED_GROUP=-1`). Due to a "first-occurrence-priority" principle in the back-end parsing engine, an attacker can inject a forged `AUTHORIZED_GROUP=1` parameter in the POST request to preemptively define the authorization state, causing the legitimate result to be ignored. An unauthenticated remote attacker can exploit this vulnerability to bypass access controls, call `getcfg.php`, and retrieve sensitive device configuration information, such as administrator account credentials. |
| Source | https://github.com/i-Corner/cve/issues/21 |
| User | iC0rner (UID 82839) |
| Submitted | 31/08/2025 14:26 (9 months ago) |
| Moderated | 08/09/2025 07:04 (8 days later) |
| Status | Accepted |
| VulDB entry | 323049 [D-Link DIR-852 up to 1.00CN B09 Device Configuration /getcfg.php phpcgi_main information disclosure] |
| Points | 20 |
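
The ordering flaw described above, as an added example that is not part of the VulDB entry or the D-Link firmware: a simplified Python model of a first-occurrence lookup over user-supplied and server-appended parameters, next to a hardened ordering and a check for reserved keys in a request. The pair-list representation, the function names, and the rule that a negative `AUTHORIZED_GROUP` means unauthenticated are assumptions.

```python
# Simplified model of the parameter-ordering flaw; not the firmware's code.
RESERVED = {"AUTHORIZED_GROUP"}  # keys that only the server may set


def first_occurrence(pairs, key):
    """Lookup of the modelled back end: the first matching key wins."""
    for k, v in pairs:
        if k == key:
            return v
    return None


def build_env_vulnerable(post_pairs, session_group):
    """Order from the report: user POST data first, session verdict appended."""
    return list(post_pairs) + [("AUTHORIZED_GROUP", str(session_group))]


def build_env_hardened(post_pairs, session_group):
    """Session verdict first, and reserved keys dropped from user input."""
    clean = [(k, v) for k, v in post_pairs if k not in RESERVED]
    return [("AUTHORIZED_GROUP", str(session_group))] + clean


def is_authorized(env):
    """Assumption: a negative or unparsable group means unauthenticated."""
    try:
        return int(first_occurrence(env, "AUTHORIZED_GROUP")) >= 0
    except (TypeError, ValueError):
        return False


def reserved_keys_in_request(post_pairs):
    """Detection helper: reserved keys that a client should never send."""
    return sorted({k for k, _ in post_pairs if k in RESERVED})


# Constructed sample requests from a session the server evaluated as -1.
UNAUTHENTICATED = -1
BENIGN = [("param", "value")]
FORGED = [("param", "value"), ("AUTHORIZED_GROUP", "1")]

if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("forged", FORGED)):
        print(name,
              "vulnerable:", is_authorized(build_env_vulnerable(req, UNAUTHENTICATED)),
              "hardened:", is_authorized(build_env_hardened(req, UNAUTHENTICATED)),
              "reserved keys seen:", reserved_keys_in_request(req))
```

A request that carries a reserved key is also worth logging and rejecting outright, since a legitimate client has no reason to send one.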